[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Freeipmi-devel] user permissions for running freeipmi clis

From: Andy Cress
Subject: RE: [Freeipmi-devel] user permissions for running freeipmi clis
Date: Fri, 27 Feb 2009 05:46:50 -0800


Having done a Linux to Solaris port of ipmiutil also, Linux and Solaris
both handle access to device drivers similarly.  If a program like
freeipmi wants to access a device driver, it must have root privileges.

This is also consistent with the IPMI firmware security for the local
system interface, where configuration and reset capability does not
require a password locally (that's how the password is set :).  The
utilities cannot open /dev/bmc to access the driver without root
privileges.  Unfortunately, Windows is insecure in this paradigm,
requiring extra safeguards, but that's another topic.  

If you really want to enable non-root users to read (but not write) IPMI
data, you could set up a proxy to control access to the device driver
via /dev/bmc, and manage requests from non-root users, but you would
definitely want to restrict non-root users from writing any IPMI data
through the proxy.

Note that IPMI LAN access always requires an IPMI user/password, so
non-root users can use it that way because they have access control.


-----Original Message-----
From: address@hidden
[mailto:address@hidden On
Behalf Of Michal Bachorik - Sun Microsystems - Prague Czech Republic
Sent: Friday, February 27, 2009 6:28 AM
To: address@hidden
Subject: [Freeipmi-devel] user permissions for running freeipmi clis

Hi all,

we are trying to port freeipmi on opensolaris (most of the stuff done,
just paperwork remains) and we need to clarify one thing - freeipmi
requires (at least our ported version) an user with root permissions to
run certain commands. As we are using solaris BMC driver, we first
thought that the problem is in BMC driver but according the information
form some other (more BMC driver skilled guys) this is not the reason
and they suspect that it is matter of how freeipmi interprets the IPMI
user security.

Can some shed more light into it, please? Is it freeipmi who needs root

Here is brief output how freeipmi clis behave when run under a non-root

-->cd /usr/sbin/
-->ls -la bmc-*
-rwxr-xr-x   1 root     bin      1050148 Feb 19 19:09 bmc-config
-rwxr-xr-x   1 root     bin       514956 Feb 19 19:09 bmc-device
-rwxr-xr-x   1 root     bin       487364 Feb 19 19:09 bmc-info
-rwxr-xr-x   1 root     bin       339560 Feb 19 19:09 bmc-watchdog
-->ls -la ipmi-*
-rwxr-xr-x   1 root     bin       527748 Feb 19 19:09 ipmi-chassis
-rwxr-xr-x   1 root     bin       677276 Feb 19 19:09
-rwxr-xr-x   1 root     bin       679640 Feb 19 19:09 ipmi-fru
-rwxr-xr-x   1 root     bin       138348 Feb 19 19:10 ipmi-locate
-rwxr-xr-x   1 root     bin       471508 Feb 19 19:09 ipmi-oem
-rwxr-xr-x   1 root     bin       474672 Feb 19 19:09 ipmi-raw
-rwxr-xr-x   1 root     bin       641740 Feb 19 19:09 ipmi-sel
-rwxr-xr-x   1 root     bin       736188 Feb 19 19:10 ipmi-sensors
-rwxr-xr-x   1 root     bin       828848 Feb 19 19:10

<non-root-user>@ge2:/usr/sbin> ./bmc-config --checkout
./bmc-config: permission denied
<non-root-user>@ge2:/usr/sbin> ./bmc-device --get-acpi-power-state
./bmc-device: permission denied
<non-root-user>@ge2:/usr/sbin> ./bmc-device --get-lan-statistics
./bmc-device: permission denied
<non-root-user>@ge2:/usr/sbin> ./bmc-info
./bmc-info: permission denied
<non-root-user>@ge2:/usr/sbin> ./bmc-watchdog -g
bmc-watchdog: Error opening logfile
'/var/log/freeipmi/bmc-watchdog.log': Permission denied
<non-root-user>@ge2:/usr/sbin> ./ipmi-chassis --get-status
./ipmi-chassis: permission denied
<non-root-user>@ge2:/usr/sbin> ./ipmi-chassis-config --checkout
./ipmi-chassis-config: permission denied <non-root-user>@ge2:/usr/sbin>
./ipmi-fru -V ipmi-fru - 0.7.4 Copyright (C) 2007-2008 Lawrence
Livermore National Security, LLC.
Copyright (C) 2007 The Regents of the University of California.
This program is free software; you may redistribute it under the terms
of the GNU General Public License.  This program has absolutely no
<non-root-user>@ge2:/usr/sbin> ./ipmi-locate
./ipmi-locate: permission denied
<non-root-user>@ge2:/usr/sbin> ./ipmi-oem -L OEM ID: supermicro
   Command: reset-intrusion - reset motherboard intrusion flag.

<non-root-user>@ge2:/usr/sbin> ./ipmi-sel -i
./ipmi-sel: permission denied
<non-root-user>@ge2:/usr/sbin> ./ipmi-sensors
./ipmi-sensors: permission denied
<non-root-user>@ge2:/usr/sbin> ./ipmi-sensors-config --checkout
./ipmi-sensors-config: permission denied <non-root-user>@ge2:/usr/sbin>
./ipmimonitoring: permission denied
<non-root-user>@ge2:/usr/sbin> ./ipmiping -i 1 ge2 ipmiping ge2
( response timed out: rq_seq=25 response timed out:
rq_seq=26 response timed out: rq_seq=27 response timed out: rq_seq=28
^C--- ipmiping ge2 statistics ---
5 requests transmitted, 0 responses received in time, 100.0% packet loss
<non-root-user>@ge2:/usr/sbin> ./ipmipower -h ge2 -s
ge2: connection timeout



The information contained in this document is CONFIDENTIAL and property of 
Kontron. Any unauthorized review, use, disclosure or distribution is prohibited 
without express written consent of Kontron. If you are not the intended 
recipient, please contact the sender and destroy all copies of the original 
message and enclosed attachments.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]